Home > Vulnerability Database > CVE-2024-7646

Mend.io Vulnerability Database

CVE-2024-7646

Date: August 16, 2024

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the "networking.k8s.io" or "extensions" API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Language: Go

Severity Score

8.8

Related Resources (6)

Url: https://github.com/kubernetes/ingress-nginx/pull/11719

Url: https://github.com/kubernetes/kubernetes/issues/126744

Url: https://groups.google.com/g/kubernetes-security-announce/c/a1__cKjWkfA

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7646

Url: https://github.com/kubernetes/ingress-nginx/pull/11721

Url: https://www.mend.io/vulnerability-database/CVE-2024-7646

Severity Score

8.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7646

Date: August 16, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?